U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Transcription

1 U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE Privacy Impact Assessment Database Services (DBS) PTOI March 20, 2012

2 Privacy Impact Assessment This Privacy Impact Assessment (PIA) is a requirement of the Privacy Act of 1987 and OMB Memorandum 03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of A PIA documents the due diligence and oversight placed upon information associated with the project or system in question. Written from the System Owner s perspective for the American public, the PIA discloses what information is being collected, and how that information is protected. The intent is to build confidence that privacy information is secure, processes that utilize this information comply with Federal requirements, and more importantly, inform the privacy expectations of the American public. The Privacy Threshold Analysis (PTA) is a separate artifact that must be completed prior to beginning this PIA. In many cases, the PTA will be the only required artifact to satisfy DOC privacy considerations.

3 SYSTEM DESCRIPTION Database Services (DBS) is an Application information system, and provides a Database infrastructure to support the mission of USPTO Database needs. The DBS System is composed of a collection of various versions of Database systems. The subsystems within the DBS System are: Microsoft SQL Database Servers (MSSQL) Oracle (Oracle) MySQL (MySQL) MSSQL The Microsoft SQL databases management component is used by the USPTO Database Services Branch (DSB) to support USPTO applications with the retrieval and management of data in relational database management systems (RDBMS), database schema creation and modification, and database object access control management. The core of MSSQL is formed by a command language that allows the retrieval, insertion, updating, and deletion of data, and performing management and administrative functions. The only component for MSSQL that is covered under the DBSS Authorization Boundary is the database management components used to administer the MSSQL database instances within USPTO. The Database Services Branch manages and maintains database management software installed on enterprise and application servers. They perform database control and administration functions associated with database operations, performance, and integrity. Support services are also provided for developing Automated Information Systems (AIS's) such as requirements analysis, database design, and implementation and maintenance strategies of database applications. MySQL The MySQL database system is comprised of several instances, utilized by AIS within the USPTO organization. The databases are used to collect and store data that can be parsed and used to generate reports in several ways by running scripts in the MySQL application. The MySQL system utilizes the SQL language; the components utilized by MySQL are not within the boundary of this system and reside in the boundary based on the OS. The Database Administration Section (DAS) manages and maintains database management software installed on enterprise and application servers. They perform database control and administration functions associated with database operations, performance, and integrity. Support services are also provided for developing Automated Information Systems (AIS's) such as requirements analysis, database design, and implementation and maintenance strategies of database applications. Oracle The Oracle database system is comprised of multiple instances of the application, along with data storage. An instance consists of a set of operating-system processes and memory structures that interact with the storage. The Oracle Relational Database Management System (RDBMS) stores data logically in the form of table spaces and physically in the form of data files. The Database Services Branch manages and maintains database management software installed on enterprise and application servers. They perform database control and administration functions associated with database operations, performance, and integrity. Support services are

4 also provided for developing Automated Information Systems (AIS's) such as requirements analysis, database design, and implementation and maintenance strategies of database applications.

5 QUESTIONNAIRE 1. What information is collected (e.g., nature and source)? N/A, Data is not collected by the DBS system. Data is collected by USPTO systems and stored in database instances. The system that houses the instances is managed by the DBS system. There is a variety of information stored in databases that utilize the DBS software 2. Why is this information being collected (e.g., to determine eligibility)? N/A, Information is not directly collected or used by the DBS system. The data is collected by applications that utilize the database instances hosted by DBS. 3. What is the intended use of information (e.g., to verify existing data)? N/A. DBS houses the data that is stored via other information systems within USPTO. 4. With whom will the information be shared (e.g., another agency for a specified programmatic purpose)? N/A, The information maintained in the DBS databases is collected and utilized by USPTO AIS. The information is shared through the AIS and is not controlled by the DBS system. The information is shared with financial organizations to receive payment and with other government organizations such as Pay.gov on a need to know basis. 5. What opportunities do individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how can individuals grant consent? N/A, collection methods and the obligation to provide such information is not the responsibility of the DBS system. 6. How will the information be secured (e.g., administrative and technological controls)? Information within the databases will be secured consistent with government laws, regulations (e.g. NIST) and USPTO policy. 7. How will the data extract log and verify requirement be met? N/A, DBS houses the data that is stored via other information systems within USPTO. These other systems provide this functionality for the data that is being stored. 8. Is a system of records being created under the Privacy Act, 5 U.S.C. 552a? No, the DBS system is not responsible for the information or the records created within the instance. The record creation is the responsibility of the system collecting the information. The website provided provides all of the Systems of Records Notices for USPTO: 9. Are these records covered by a record control schedule approved by the National Archives and Records Administration (NARA)? Yes, the OCIO provides the requirements applicable to archiving and destroying information technology within USPTO.

6 SIGNATORY AUTHORITY Agreed: / / Larry Stanback Date Information System Owner Agreed: / / Rod Turk Date Senior Agency Information Security Officer Agreed: / / John B. Owens II Date Authorizing Official